Secure instant payments for individuals in the EU
In its Opinion published on 19 December 2022, the EDPS welcomes the proposed Regulation aiming to increase the use of instant credit transfers, in an efficient and accurate way. In particular, the EDPS welcomes the proposed measures aiming to resolve issues linked to instant credit transfers, under the current Regulations. Namely, tackling the high rate of rejected instant payments due to the misidentification of individuals.
Wojciech Wiewiórowski, EDPS, said: “Individuals make payments multiple times a day; they need to be able to trust confidently that their payment data, and other related personal data, are protected securely when carrying out transactions, such as credit transfers. In light of this, I welcome the proposed Regulation as a legislative instrument that aims to protect individuals in the EU, their personal data and financial interests.”
The Opinion that the EDPS has issued focuses on two measures of particular relevance to data protection.
The EDPS welcomes the proposed Regulation’s measure that aims to address payers’ concerns about the security of instant payments. The proposed Regulation would oblige payment service providers to verify jointly whether the identity of the payee matches, prior to the payer authorising the transaction. The EDPS views this measure positively; taking note that this procedure gives payers the opportunity to compare their information with the response generated by the payment system. Therefore allowing payers to make informed decisions about whether it is safe to authorise the payment. The EDPS also welcomes that the proposed Regulation gives payers the possibility to opt-out of these security measures, when these are not needed.
Concerning the high rate of rejected instant payments triggered by misidentifying individuals with individuals on EU sanctions lists, the proposed Regulation foresees to set up periodic verifications of payers’ information. This measure will consist of verifying periodically payers’ information against information in EU sanctions lists, instead of verifying this information for each transaction. Reviewing this, the EDPS welcomes these measures as a way of checking payers’ information in a more efficient and accurate way, to avoid individuals having to experience unwarranted payment refusals.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.